[RESOLVED] ASP / Access - protecting from injections
Hi all,
I inherited some old ASP code that I recently found out might have a potential SQL injection problem.
I've looked through Google and the threads here, and I understand the concept of SQL injections, but I'm not sure how to change my own code to protect it from injections. I'm not very strong with ASP.
All of the examples I've seen have code which is protecting against injection threats when a user inputs data into a field. In my case, the ASP code displays records in a database table, but does not take any user inputs.
Code:
<%
Dim sql, rs, item_number
item_number = Request.QueryString("product_id")
' the querystring value is concatenated straight into the SQL text
sql = "SELECT * FROM products WHERE product_id=" & item_number
Set rs = objConn.Execute(sql)
If rs.EOF Then 'if no records
    Response.Write("No record to display")
Else
%>
<p><%=rs("product_id") %></p>
<p><%=rs("product_title") %></p>
<p><%=rs("product_type") %></p>
<%
End If
%>
Will this code still be susceptible to SQL injections, even if I'm not accepting user inputs and just displaying records from a database, and if so, how can I guard against any potential injection threats?
Edit: Do I just change line 2 of the code from:
item_number = Request.QueryString("product_id")
Your solution is one way to avoid injection, but it will only cause an error. And what if no querystring variable is provided? That will throw an error too.
The best way to handle it would be to convert it to a zero if it is not a valid numeric value, then your recordset would simply show no results.
Code:
item_number = Request.QueryString("product_id")
' no querystring value, or a non-numeric one, becomes 0 so the query still runs
If item_number = "" Then item_number = 0
If Not IsNumeric(item_number) Then item_number = 0
That's all you need to do, now you let your query run no matter what is passed.
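The querystring is user input, so the lookup can also be written with the value bound as a parameter instead of concatenated into the SQL text. This is an added example, not code from either post; it assumes the same objConn ADODB connection and an integer product_id column, and it tightens the check to plain digits only.

```vbscript
<%
' Added example (not from either post): the same product lookup with the
' querystring value validated and then bound as a parameter rather than
' concatenated into the SQL. Assumes the existing objConn ADODB connection
' and an integer product_id column.
Dim sql, cmd, rs, item_number, re

item_number = Request.QueryString("product_id")

' Accept only a plain whole number of 1 to 9 digits. Anything else, including
' an empty querystring, becomes 0 so the query runs and simply returns no rows.
Set re = New RegExp
re.Pattern = "^\d{1,9}$"
If Not re.Test(item_number) Then item_number = "0"

' The ? placeholder is filled by the driver; the value never becomes part of
' the statement text, so it cannot change the meaning of the query.
sql = "SELECT product_id, product_title, product_type FROM products WHERE product_id = ?"

Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = objConn
cmd.CommandText = sql
cmd.CommandType = 1 ' adCmdText
' CreateParameter(name, type, direction, size, value): 3 = adInteger, 1 = adParamInput
cmd.Parameters.Append cmd.CreateParameter("product_id", 3, 1, 4, CLng(item_number))

Set rs = cmd.Execute

If rs.EOF Then 'if no records
    Response.Write("No record to display")
Else
%>
<p><%=rs("product_id") %></p>
<p><%=rs("product_title") %></p>
<p><%=rs("product_type") %></p>
<%
End If

rs.Close
Set rs = Nothing
Set cmd = Nothing
%>
```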